Statement of Applicability (SoA): Definition and Guide
Statement of Applicability
The Statement of Applicability (SoA) is a mandatory document in ISO 27001 that maps every control in Annex A to your organization's risk treatment decisions. For each of the 93 controls in ISO 27001:2022 (or 114 controls in the 2013 version), the SoA states whether the control is applicable, whether it has been implemented, and provides justification for any exclusions.
Why the SoA Matters
The SoA is one of the first documents an ISO 27001 auditor will request. It serves as the bridge between your risk assessment and your control environment. Without it, there is no way to verify that your security controls are driven by identified risks rather than arbitrary decisions.
The SoA also functions as a management-level summary of your entire security posture. It tells leadership which controls are in place, which are planned, and which risks are being accepted through control exclusions.
What the SoA Contains
For each Annex A control, the SoA typically records:
- Control reference — The control number and name from Annex A
- Applicability — Whether the control is applicable to the organization
- Implementation status — Whether the control is fully implemented, partially implemented, or planned
- Justification for inclusion — Which risks from the risk assessment the control addresses
- Justification for exclusion — Why non-applicable controls are excluded (must be a valid business reason)
Common Mistakes
Excluding controls without justification. Every exclusion must have a documented rationale tied to your risk assessment. Saying a control is "not relevant" without explaining why is an audit finding.
Treating it as static. The SoA must be updated whenever your risk assessment changes, new controls are implemented, or controls are retired. Version control is essential.
Disconnecting it from the risk register. The SoA should trace directly to risks in your risk register. If auditors cannot follow the thread from risk to treatment to control, they will raise a nonconformity.
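The checks behind these three mistakes can be automated before an audit. The following is an added example, not code from the article: it assumes an SoA row layout matching the fields listed under "What the SoA Contains" and a risk register keyed by risk ID, and the sample rows and register are constructed.

```python
"""Consistency checks for a Statement of Applicability (SoA) row set."""
from dataclasses import dataclass, field

EXPECTED_CONTROLS = 93  # Annex A control count in ISO 27001:2022
VALID_STATUS = {"implemented", "partial", "planned"}


@dataclass
class SoaRow:
    control: str                      # control reference and name from Annex A
    applicable: bool
    status: str = ""                  # implementation status, if applicable
    risk_ids: list = field(default_factory=list)  # justification for inclusion
    exclusion_reason: str = ""        # justification for exclusion


def check_soa(rows, risk_register):
    """Return the findings an auditor would raise; an empty list means clean."""
    findings = []
    seen = set()
    for r in rows:
        if r.control in seen:
            findings.append(f"{r.control}: duplicate entry")
        seen.add(r.control)
        if r.applicable:
            # Inclusion must trace to risks that actually exist in the register.
            if not r.risk_ids:
                findings.append(f"{r.control}: applicable but traces to no risk")
            for rid in r.risk_ids:
                if rid not in risk_register:
                    findings.append(f"{r.control}: references unknown risk {rid}")
            if r.status not in VALID_STATUS:
                findings.append(f"{r.control}: invalid status {r.status!r}")
        elif not r.exclusion_reason.strip():
            # "Not relevant" with no rationale is itself a finding.
            findings.append(f"{r.control}: excluded without justification")
    if len(seen) != EXPECTED_CONTROLS:
        findings.append(f"SoA lists {len(seen)} controls, expected {EXPECTED_CONTROLS}")
    return findings


# Constructed sample data (hypothetical register entries and SoA rows).
RISK_REGISTER = {"R-01": "Unauthorised access to customer data",
                 "R-02": "Loss of laptops holding unencrypted data"}
SAMPLE_SOA = [
    SoaRow("A.5.1 Policies for information security", True, "implemented", ["R-01"]),
    SoaRow("A.7.1 Physical security perimeters", False, exclusion_reason="Fully remote; no premises"),
    SoaRow("A.8.1 User endpoint devices", True, "partial", ["R-99"]),
    SoaRow("A.8.12 Data leakage prevention", False),
]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, RISK_REGISTER):
        print(finding)
```

Run against the sample, it flags the dangling risk reference, the unjustified exclusion, and the incomplete control coverage; a real SoA export would be loaded into `SoaRow` objects in place of the constructed list.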